cybersecurity

As the regulatory burden increases, organizations and CISOs are having to take ownership of cyber risk, but it needs to be seen through the lens of business risk, according to Kayne McGladrey, field CISO with Hyperproof. Cyber risk is no longer simply a technology risk. “The problem is, organizationally, companies have separated those two and have their business risk register and their cyber risk register, but that’s not the way the world works anymore,” says McGladrey.

He believes the Securities and Exchange Commission (SEC), the Federal Trade Commission, FTC and other regulators in the US are trying to promote collaboration among business leaders because cyber risks are functionally business risks. McGladrey thinks most CISOs understand this, but that doesn’t necessarily extend to the other leaders in the business. “Can we just please have one risk conversation with people and plan that out appropriately,” he says.

On Tuesday, the White House announced that we’ll soon get those IoT labels: The US Cyber Trust Mark, which looks like a shield with a microchip on it, will be on products that have cybersecurity protections. Kayne McGladrey, field CISO for Hyperproof, expressed reservations about the mark. His concern is that Cyber Trust Marked devices could be sold at a premium to account for the increased cost of cybersecurity measures, which could lead to most consumers simply choosing whatever’s cheaper, rendering the program ineffective. He also noted that it won’t address all the devices that pre-date the Cyber Trust Mark and are already in people’s homes. “For example, LED light bulbs have lifespans of tens of thousands of hours, which means that insecure light bulbs will be a feature of the IoT landscape for the coming decade or longer,” McGladrey said in an email.

“Discord initially was used as a way for gamers to hold real-time voice and text chats in games that either didn’t support real-time communications or where the in-game system wasn’t robust,” says Kayne McGladrey, a senior member of IEEE, a professional organization for technology and engineering. But the platform gained popularity, particularly during the COVID-19 shutdown. “During the pandemic, Discord emerged as a free alternative to Zoom for gamers, friends, cryptocurrency enthusiasts, and other communities to host remote events,” McGladrey says.

Discord relies heavily on server moderators to enforce community rules, IEEE Senior Member Kayne McGladrey said via email. This moderation is done on a server-by-server basis.  

“In practice, this enables smaller private servers to feature far more informal conversations and rules than a public community server – it’s possible that kids can see hateful content, such as racism or cyber-bullying, happen on these types of servers where the moderators are less engaged,”  McGladrey added. 

Confidential computing also is an emerging technology meant to protect data in use, said McGladrey of the IEEE.

“Confidential computing can allow the processing of data from multiple parties without sharing the input data with those other parties,” he said. “For example, if an organization wants to perform processing on a large set of healthcare data collected from multiple third-party organizations, properly configured confidential computing potentially permits those third parties to provide their data for processing in aggregate. In this scenario, not even the cloud provider can see the cleartext data provided by the third parties, or the results.”

In this YouTube video, Scott Schober interviews Kayne McGladrey, Field CISO for Hyperproof about cybersecurity and the challenges faced by CISOs. Kayne discusses the importance of aligning cybersecurity risk with business risk and the need for CISOs to be more involved with board-level decision making. He also talks about his work at Hyperproof to automate compliance and security operations, making it easier for teams to focus on creative problem solving and strategy.

It’s no surprise that security and compliance professionals are concerned about the effects a potential recession may have on their budgets. Cyber incidents and business interruptions have been the two worldwide corporate risk concerns for two years running, according to Allianz, and the World Economic Forum recently found that cybersecurity is the fifth top risk worldwide in 2023. Yet, over 66,000 tech jobs were cut in the first two months of 2023 due to recessionary factors, and over half of organizations struggle with identifying where the critical risks are in order to figure out what remediations to prioritize. The risk of paying fines and penalties is increasing as the FTC, SEC, NYDFS, and other regulatory agencies are leaning into enforcement rather than sanctions.

Let’s examine an end-to-end process that organizations can use annually to evaluate which controls are effectively reducing risks, and which controls could be removed or replaced to create budgetary efficiencies

A hacker can say that an institution has 90 days to fix a vulnerability before publicly divulging the secret, and for the vulnerable bank or credit union, that might come off as extortion or a threat. However, it is well within the boundaries of normal security research to do that, according to Kayne McGladrey, Field CISO for the security and compliance company Hyperproof.

“If the company doesn’t respond in a timely manner, that’s where you can get vulnerability disclosures after a reasonable period of time, like 90 or 120 days, or 180 days, depending on which philosophy the researcher subscribes to,” McGladrey said. “That’s all well within the ethical boundaries of a normal security researcher.”

The key difference between an ethical and unethical hacker — between extortion and responsible disclosure — is what the hacker does with the vulnerability.

“I think it’s very possible to say you can prove you can use this vulnerability — maybe it’s to steal a whole bunch of credit card information — without actually doing it,” McGladrey said. “You just show that you can.

Tune into this ISACA Episode as Hyperproof’s Field CISO, Kayne McGladrey, speaks with ISACA’s Jeff Champion on how 2023 will be the year of risk.

* Deep dive look into interpreting the different emerging US data privacy state laws and the consequences of non-compliance

* Learn about the requirements of the SEC cybersecurity rules and the ramifications for public companies

* Discuss the security programs that need to be implemented to comply with local and international regulations and rules.

In this episode of the EM360 Podcast, Analyst Richard Stiennon speaks to Kayne McGladrey, Field CISO at Hyperproof to explore: Automating compliance controls vs SOAR automation, Helping CISOs, and if one master set of controls cover multiple frameworks

Hosts Kayne and Tom talk about how to create the Authorization Boundary, a cornerstone of the System Security Plan (SSP) as part of FedRAMP certification. Includes beer tasting notes for Black Butte Porter.